NIST CSF 2.0 - Detect

DE.AE-02: Adverse Event Analysis

DE.AE-02 requires that potentially adverse events are analyzed to better understand associated activities. This NIST CSF 2.0 control falls under the Detect (DE) function and the Adverse Event Analysis category. Use this checklist to verify implementation and prepare evidence for auditors.

Control Details

Control ID: DE.AE-02
Title: Adverse Event Analysis
Function: Detect (DE)
Category: Adverse Event Analysis
Framework: NIST CSF 2.0

Potentially adverse events are analyzed to better understand associated activities. Detected events are investigated and correlated to determine their nature, scope and potential impact on the organization.

Why This Matters

Raw alerts are meaningless without analysis. Event correlation and investigation separate true threats from noise and enable the organization to understand the scope and severity of potential incidents.

Implementation Checklist

Use this checklist to verify your organization meets the requirements of DE.AE-02.

Evidence an Auditor Expects

Prepare the following documentation and artifacts to demonstrate compliance with DE.AE-02 during an audit.

  • SIEM correlation rules and use case documentation
  • Event analysis procedure documents or playbooks
  • Sample event investigation reports with correlation evidence
  • Escalation criteria documentation
  • Threat intelligence enrichment configuration

Common Gaps We Find

Based on our penetration testing and risk assessment engagements, these are the gaps organizations most frequently have with DE.AE-02.

  • SIEM collects logs but has minimal correlation rules configured
  • No documented procedures exist for analyzing specific event types
  • Events are investigated ad hoc without structured playbooks or consistent documentation

FAQ

What does DE.AE-02 require?
DE.AE-02 (Adverse Event Analysis) requires that potentially adverse events are analyzed to better understand associated activities. Detected events are investigated and correlated to determine their nature, scope and potential impact on the organization. This control is part of the NIST CSF 2.0 Detect function under the Adverse Event Analysis category.

How do I prove compliance with DE.AE-02?
To demonstrate compliance with DE.AE-02, prepare the following evidence: SIEM correlation rules and use case documentation; event analysis procedure documents or playbooks; sample event investigation reports with correlation evidence. Auditors will verify that these artifacts exist and reflect current operational practices.

Need Help Meeting NIST CSF 2.0 Requirements?

Our penetration testing and risk assessments map directly to NIST CSF 2.0 controls. Sherlock Forensics identifies gaps in your compliance posture and provides actionable remediation guidance.
